fix: Read request data on System.Web

Author: bruno-garcia

src/Sentry/Internal/Web/SystemWebRequestEventProcessor.cs

@@ -1,27 +1,97 @@
 #if SYSTEM_WEB
 using System;
+using System.Collections.Generic;
+using System.Security.Claims;
+using System.Security.Principal;
 using System.Web;
 using Sentry.Extensibility;
+using Sentry.Protocol;
 
 namespace Sentry.Internal.Web
 {
     internal class SystemWebRequestEventProcessor : ISentryEventProcessor
     {
+        private readonly SentryOptions _options;
         internal IRequestPayloadExtractor PayloadExtractor { get; }
 
-        public SystemWebRequestEventProcessor(IRequestPayloadExtractor payloadExtractor)
-            => PayloadExtractor = payloadExtractor ?? throw new ArgumentNullException(nameof(payloadExtractor));
+        public SystemWebRequestEventProcessor(IRequestPayloadExtractor payloadExtractor, SentryOptions options)
+        {
+            _options = options ?? throw new ArgumentNullException(nameof(options));
+            PayloadExtractor = payloadExtractor ?? throw new ArgumentNullException(nameof(payloadExtractor));
+        }
 
         public SentryEvent Process(SentryEvent @event)
         {
-            if (@event != null && HttpContext.Current?.Request is HttpRequest request)
+            var context = HttpContext.Current;
+            if (context == null || @event == null)
+            {
+                return @event;
+            }
+
+            @event.Request.Method = context.Request.HttpMethod;
+            @event.Request.Url = context.Request.Path;
+            @event.Request.QueryString = context.Request.QueryString.ToString();
+
+            foreach (var key in context.Request.Headers.AllKeys)
+            {
+
+                if (!_options.SendDefaultPii
+                    // Don't add headers which might contain PII
+                    && (key == "Cookie"
+                        || key == "Authorization"))
+                {
+                    continue;
+                }
+                @event.Request.Headers[key] = context.Request.Headers[key];
+            }
+
+            if (_options?.SendDefaultPii == true)
             {
-                var body = PayloadExtractor.ExtractPayload(new SystemWebHttpRequest(request));
-                if (body != null)
+                @event.User.IpAddress = context.Request.UserHostAddress;
+                if (context.User.Identity is IIdentity identity)
+                {
+                    @event.User.Username = identity.Name;
+                    var other = new Dictionary<string, string>
+                    {
+                        { "IsAuthenticated", identity.IsAuthenticated.ToString() }
+                    };
+                    @event.User.Other = other;
+                }
+                if (context.User is ClaimsPrincipal claimsPrincipal)
                 {
-                    @event.Request.Data = body;
+                    if (claimsPrincipal.FindFirst(ClaimTypes.NameIdentifier) is Claim claim)
+                    {
+                        @event.User.Id = claim.Value;
+                    }
                 }
             }
+
+            @event.ServerName = Environment.MachineName;
+
+            // Move 'runtime' under key 'server-runtime' as User-Agent parsing done at
+            // Sentry will represent the client's
+            if (@event.Contexts.TryRemove(Runtime.Type, out var runtime))
+            {
+                @event.Contexts["server-runtime"] = runtime;
+            }
+
+            if (@event.Contexts.TryRemove(Protocol.OperatingSystem.Type, out var os))
+            {
+                @event.Contexts["server-os"] = os;
+            }
+
+            if (_options?.SendDefaultPii == true && @event.User.Username == Environment.UserName)
+            {
+                // if SendDefaultPii is true, Sentry SDK will send the current logged on user
+                // which doesn't make sense in a server apps
+                @event.User.Username = null;
+            }
+
+            var body = PayloadExtractor.ExtractPayload(new SystemWebHttpRequest(context.Request));
+            if (body != null)
+            {
+                @event.Request.Data = body;
+            }
             return @event;
         }
     }

src/Sentry/SentryOptions.cs

@@ -349,8 +349,10 @@ public SentryOptions()
                                 new DefaultRequestPayloadExtractor()
                         },
                         this,
-                        () => MaxRequestBodySize)));
+                        () => MaxRequestBodySize),
+                    this));
 #endif
+
             ExceptionProcessors
                 = ImmutableList.Create<ISentryEventExceptionProcessor>(
                     new MainExceptionProcessor(this, sentryStackTraceFactory));

test/Sentry.Tests/Internals/Web/SystemWebRequestEventProcessorTests.cs

@@ -14,6 +14,7 @@ public class SystemWebRequestEventProcessorTests
         private class Fixture
         {
             public IRequestPayloadExtractor RequestPayloadExtractor { get; set; } = Substitute.For<IRequestPayloadExtractor>();
+            public SentryOptions SentryOptions { get; set; } = new SentryOptions();
             public object MockBody { get; set; } = new object();
             public HttpContext HttpContext { get; set; }
 
@@ -26,7 +27,7 @@ public Fixture()
             public SystemWebRequestEventProcessor GetSut()
             {
                 HttpContext.Current = HttpContext;
-                return new SystemWebRequestEventProcessor(RequestPayloadExtractor);
+                return new SystemWebRequestEventProcessor(RequestPayloadExtractor, SentryOptions);
             }
         }
 
@@ -77,7 +78,7 @@ public void Process_NoBodyExtracted_NoRequestData()
 
             var actual = sut.Process(expected);
             Assert.Same(expected, actual);
-            Assert.Null(expected.InternalRequest);
+            Assert.Null(expected.Request.Data);
         }
     }
 }